Security flaws signal early death of Windows Gadgets

Summary: Microsoft is pulling the plug on the Windows Sidebar and Gadgets platform ahead of news that security vulnerabilities will be disclosed at this year's Black Hat conference.

Microsoft is speeding up plans to kill off the Windows Gadget platform after receiving word that serious security vulnerabilities will be disclosed at the upcoming Black Hat security conference.

According to a brief abstract from the Black Hat site, researchers Mickey Shkatov and Toby Kohlenberg plan to discuss weaknesses associated with Windows Sidebar and Gadgets and demonstrate "nastiness" that can be done on the platform.

"Gadgets are comprised of JS, CSS and HTML and are applications that the Windows operating system has embedded by default. As a result there are a number of interesting attack vectors that are interesting to explore and take advantage of. We will be talking about our research into creating malicious gadgets, misappropriating legitimate gadgets and the sorts of flaws we have found in published gadgets," the researchers said.

Microsoft was already planning to deprecate Sidebar and Gadgets in the upcoming Windows 8 but, after working with Shkatov and Kohlenberg ahead of Black Hat, the company decided to push for the immediate death of the platform.

From the MSRC blog:

As many of you are aware, Windows 8 will deprecate the Sidebar and Gadgets, and Gadget developers are already shifting their efforts to the online Windows Store. Meanwhile, we’ve discovered that some Vista and Win7 gadgets don’t adhere to secure coding practices and should be regarded as causing risk to the systems on which they’re run. With time running out for the Sidebar and Gadgets and with developers already moving on, we’ve chosen to deprecate the Windows Gadget Gallery effective immediately, and to provide a Fix it to help sysadmins disable Gadgets and the Sidebar across their enterprises.

The company released a security advisory with information to help system administrators disable the Windows Sidebar and Gadgets on supported versions of Windows Vista and Windows 7 with one Fix it click.

Microsoft did not provide details on the vulnerabilities but warned that there is a risk of remote code execution attacks.

"An attacker who successfully exploited a Gadget vulnerability could run arbitrary code in the context of the current user. If the current user is logged on with administrative user rights, an attacker could take complete control of the affected system," Microsoft warned.

This automated Fix it disables the Windows Sidebar and all Gadget functionality on affected machines; because Gadgets run only inside the Sidebar host, turning off the Sidebar removes every installed gadget from the attack surface at once.
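For administrators who would rather push the same lockdown by script (startup script, Configuration Manager, or PowerShell remoting) than click a Fix it on every machine, the following PowerShell applies and then verifies the policy. This is an added example, not the article's text and not Microsoft's Fix it. It assumes that the Fix it is equivalent to enabling the "Turn off Windows Sidebar" Group Policy, whose registry location and `TurnOffSidebar` value come from the Sidebar policy template; the two extra values (`TurnOffUserInstalledGadgets`, `TurnOffUnsignedGadgets`) are the other policies from that same template and are set here as defence in depth, and `sidebar` is assumed to be the name of the Sidebar host process. Run it from an elevated prompt on Windows Vista or Windows 7.

```powershell
# Added example: disable Windows Sidebar and Gadgets by policy and verify the result.
# Not the article's or Microsoft's code. Assumptions:
#  - Key and TurnOffSidebar value are those of the "Turn off Windows Sidebar" policy
#    (Sidebar.admx); the other two values are the remaining policies in that template.
#  - The Sidebar host process is sidebar.exe.
# Requires an elevated (administrator) PowerShell session.

$PolicyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Windows\Sidebar'

# For each policy value, 1 means "policy enabled", i.e. the feature is turned off.
$Settings = @{
    TurnOffSidebar              = 1   # no Sidebar host, therefore no gadgets at all
    TurnOffUserInstalledGadgets = 1   # belt and braces if the Sidebar is ever re-enabled
    TurnOffUnsignedGadgets      = 1   # likewise: refuse unpacked or unsigned gadgets
}

function Disable-WindowsSidebar {
    if (-not (Test-Path $PolicyKey)) {
        New-Item -Path $PolicyKey -Force | Out-Null
    }
    foreach ($name in $Settings.Keys) {
        # -Force overwrites an existing value of the same name.
        New-ItemProperty -Path $PolicyKey -Name $name -PropertyType DWord `
            -Value $Settings[$name] -Force | Out-Null
    }
    # The policy is read at logon. Stop any running host now so gadgets that are
    # already loaded stop executing immediately rather than at the next logon.
    Get-Process -Name sidebar -ErrorAction SilentlyContinue | Stop-Process -Force
}

function Test-WindowsSidebarDisabled {
    # Returns $true only when every expected value exists with the expected data,
    # so a partially applied or tampered policy reads as "not disabled".
    if (-not (Test-Path $PolicyKey)) { return $false }
    $props = Get-ItemProperty -Path $PolicyKey
    foreach ($name in $Settings.Keys) {
        if ($props.$name -ne $Settings[$name]) { return $false }
    }
    return $true
}

Disable-WindowsSidebar
if (Test-WindowsSidebarDisabled) {
    Write-Output "Sidebar and Gadgets disabled by policy on $env:COMPUTERNAME"
} else {
    Write-Output "Policy NOT applied on $env:COMPUTERNAME (is the session elevated?)"
    exit 1
}
```

Writing the check as a separate function is deliberate: the same `Test-WindowsSidebarDisabled` can be run on its own, for example through `Invoke-Command` against a list of hosts, to audit which machines still have the Sidebar enabled after the rollout. Because the values live under the machine-wide `Policies` key, they apply to every user profile and cannot be undone by a standard user.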


  • Deprecate - a daft word

    What a daft word. Why not just say what you mean?
    From WP: deprecation is a status applied to features, characteristics, or practices to indicate that they should be avoided, typically because they have been superseded.
    In other words, what they are saying is, 'You might want to think twice before you use this gadget.'
    At home we love the temperature gadget as well as the currency converter and calendar.
    • Another EPIC FAIL on MS's part

      It was just another resource hog on 32bit machines and added to the boot-up times and crapware that auto-loaded through the msconfig services tab.

      Now they can't even lock them down. What a joke.
    • it's not just WP terminology

      it's industry standard terminology
      • But Somewhat Misused

        The most direct normal industry meaning is obsolete, unsupported, and replaced by a superior functional successor implementation.

        It's spin doctoring to leverage that connotation when you really mean removed without successor due to a secure implementation being unfeasible.

        However, this use is not unknown, since MS is certainly not the first corp to spin doctor product failure and withdrawal under this term, nor is this MS's first use.
        • Latin etymology

          The source of the word means something you pray for deliverance from. Perhaps it should be extended.
    • pot; kettle; black

      Why not use "spelled-out" terms. WTF is WP?

      I guess we're all supposed to "k-n-o-w" that it is 'Word Press.' ?

      I do agree that 'deprecated' is a rather idiotic term. Better terms might be "replaced," "superseded" or "tossed in the junk-pile."

      • More direct?

        More direct would be "withdrawn from public endorsement in a panic without true functional replacement in sight".
        • Better Single words?

          Withdrawn or decertified (almost as bad as depreciated but less spin doctoring connotations) or rejected or severed


          or outlawed (maybe too far but clear about what actions to take)

          Two words "dishonorably discharged" are 100% accurate summary of situation and recommended actions.

          Three words "marked for deletion" would be 100% clear about status and recommendations though. Four words
          • Severed

            Severed ! Good one. Like a gammy arm being hacked off to prevent the infection spreading. No spin there ;-)
    • Get yourself a new dictionary

      Yeah, I think that the word "Deprecate" is much easier than saying "a status applied to features, characteristics, or practices to indicate that they should be avoided, typically because they have been superseded"

      Yeah...deprecate wins every time!
    • "Deprecate": Why not just say what you mean?

      They did. Just because you were too lazy to pick up a dictionary doesn't mean the word is "daft" and meaningless.
  • I like my Windows Gadgets

    Have a couple I use for work. Make it easy to remote assist and manage clients on an active directory. Also some to monitor system performance. It is a shame that they did not develop this more.
    • Ditto for the, what was it called in Vista, the animated wallpapers...

      Still, since it might cost them more to fix, it would be cheaper to ditch it while getting the marketing department to whip up some snazzy spin to make customers feel better about it.

      The last I recall, Aero is going to get a similar fate - to get the frosted glass look takes GPU power. Tablets have as much power as a tranquilized gnat. So rescind that while finding an excuse to shroud or bypass the actual truth with... (and, quite honestly, Win7's GUI looks more professional with it when enabled, but whatever - it's being nixed for Win8, whose GUI, plain as it is, at least feels relevant - for tablets and phones and other touch-based screens of a certain size...)
      • "RESCIND" is the most honest description.

        DEPRECATE means to reduce in value/functionality.
        RESCIND means to cancel/withdraw from use.

        Which is the more honest description?
        • Now I am in two minds

          Severed is great, but Rescind is precise. You are in the professional league. It would be nice to have a hint of cleaver about it though.
    • They marketed the OS with this feature...

      This was a feature marketed by MSFT as a new feature that if one upgraded from XP they would gain. Now they want to eliminate it... will they force you to upgrade to 8 to get "live tiles" or are they just pulling the wool over... ? It's a minor thing to some but I could see this turning into a class action suit. It just seems really, really lazy on Microsoft's part. If you bought a car and suddenly it was determined that the radio had a flaw and the manufacturer replaced it with a blank panel, you'd probably be upset, no?

      I admittedly stopped using them mostly when I went from Vista to Win7, but that was mainly due to laziness and retraining myself because they were hidden now by default (at least in some version of win7, not sure about 'home' versions). People whining that they're a resource hog are probably the type that will whine no matter what, it consumes very little actual cpu, memory, or disk resource.
      • Forcing me?

        No, I don't think that MS can "force [me] to upgrade to 8"...but they are encouraging me to upgrade to OS/X. I'm way too old for a Play Skool interface anyway, so I'm not all that resistant to their pushing me off of Windows. This is just another reason to let it happen.
        • if anything is play skool, it's OSX

          can't imagine anyone switching from windows to osx to get away from kiddie level stuff, that is just back assward. its always the other way around. if you are even an intermediate level windows user, you will feel like you have one hand tied behind your back the entire time you're on a Mac. as apple turns osx into something more and more like iOS with each update, it's only getting worse and worse.
      • They tried again to integrate web IT directly into the desktop...

        But again hit the same two walls EVERY SINGLE desktop widget or enhancement application or utility runs into...

        a) They chew resources like a hungry bear - tried many over the years, even developed for a couple, but they ALL add a tonne of bloat to all but the high-end systems

        b) Integrating web-tech into the PC user-interface ALWAYS represents a hazard (unless severely sandboxed making far less usable in most OS's)... it is just a matter of how much attention that given platform receives from hackers and malware writers... unfortunately in the case of MS and Windows, that will always be a lot of attention.

        Sorry to add factual info amongst all the rants but there you go...
  • So I Guess

    It's time for Rainmeter. I just like having a cpu gadget and a network gadget on the desktop.

    Instead of fixing the capability I guess they are killing it so they can say the functionality is replaced by live tiles in Win8. They really don't replace the functionality because gadgets can be seen while an application is running windowed, something that can't be done in Win8 with live tiles.